Malware protection for industrial control systems

CyberArk is entering industrial networks to bring greater protection to control systems with remote access and malware detection capabilities

CyberArk has announced new cyber security capabilities for industrial control systems (ICS) to limit the progression of malware, better identify privileged account-related risks, and improve remote access security in industrial environments.

Organisations in manufacturing and pharmaceutical sectors, as well as those providing critical infrastructure like energy and water utilities, benefit from new CyberArk Privileged Account Security Solution capabilities to proactively protect their ICS assets. CyberArk detects and contains cyber threats that could lead to downtime or put consumer safety at risk.

Industrial organisations face greater cyber security challenges today as traditionally air-gapped or segmented operational technology (OT) networks become increasingly connected to IT systems and the Internet, exposing critical ICS endpoints and other assets to aggressive threats like ransomware. According to a cyber security study of UK C-level board members, utilities is one of the sectors most exposed to cyber security risk when compared to other key sectors of the economy.

Protect against malware and ransomware attacks

Aggressive malware attacks targeting ICS have been a common denominator in several recent attacks in the energy and utilities sector, including the much-publicised power outage in the Ukraine and the attack on the Gundremmingen nuclear power plant in Germany. In other cases, highly threatening malware in the form of ransomware has impacted facilities like the Lansing Board of Water & Light (BWL), a Michigan municipal utility in the United States.

Of significant concern is the rise of ransomware attacks in the industrial space. According to a report from The Institute for Critical Infrastructure Technology (ICIT) [1], “if a SCADA or ICS system in an energy, utilities or manufacturing organisation becomes infected with ransomware, then lives could be jeopardised in the time it takes to investigate the incident and return the systems to operation.” The report continues, “without an adequate investment in bleeding edge endpoint security solutions, ransomware will likely cause more significant harm much sooner.”

Now also available for ICS assets as part of the CyberArk Privileged Account Security Solution, CyberArk Viewfinity can help customers defend against malware and ransomware attacks by combining least privilege and application control to reduce the attack surface and block malware progression. CyberArk Viewfinity can help prevent malware from entering ICS computers such as Human-Machine Interfaces (HMIs) and other assets where significant damage can be done. It does this by automating the management of local administrator privileges and controlling applications on critical endpoints and servers.

According to the U.S. Department of Homeland Security [2], implementing application whitelisting in top-hierarchy control computers such as HMIs represents one of the most critical steps in securing an ICS network. To help mitigate the risk of malware-based attacks, CyberArk Viewfinity enables organisations to control and whitelist applications as well as remove local administrator rights from HMIs; it seamlessly elevates privileges based on an organisation’s policy, as required by trusted (whitelisted) applications.
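The two controls described in the last two paragraphs, a default-deny application allowlist on the HMI and privilege elevation that is attached to the trusted application rather than to the user, can be shown as a small policy check. The block below is an added illustration written for this page; it is not CyberArk Viewfinity code, and the "binaries", hashes, file names and policy table are all constructed sample values.

```python
"""Application allowlisting combined with least privilege: a policy check.

Added illustration, not vendor code. Each allowlist entry is keyed by the
SHA-256 of the executable image, so a modified or unknown image is denied even
when the user asks for elevation. Users hold no local-admin rights themselves;
elevation is granted only to applications the policy marks as needing it.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    allowed: bool    # may the image start at all?
    elevated: bool   # does it receive local-admin rights from policy?
    reason: str


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for on-disk executables (a real agent hashes the file).
HMI_RUNTIME = b"constructed bytes standing in for the HMI runtime executable"
DIAG_TOOL = b"constructed bytes standing in for a vendor diagnostics tool"
UNKNOWN_BIN = b"constructed bytes standing in for an unrecognised download"

# Constructed policy: hash -> friendly name and whether policy elevates it.
ALLOWLIST = {
    sha256_hex(HMI_RUNTIME): {"name": "hmi_runtime.exe", "elevate": True},
    sha256_hex(DIAG_TOOL): {"name": "diag_tool.exe", "elevate": False},
}


def evaluate_launch(image: bytes, user_requests_admin: bool = False) -> Decision:
    """Decide whether an image may run and with which privilege level."""
    digest = sha256_hex(image)
    entry = ALLOWLIST.get(digest)
    if entry is None:
        # Default deny: an unlisted (or tampered) image never runs, whatever
        # the user requested. This is what blocks a dropped ransomware binary.
        return Decision(False, False,
                        f"blocked: hash {digest[:12]}... not in allowlist")
    if entry["elevate"]:
        # Elevation comes from policy for this trusted application only.
        return Decision(True, True,
                        f"allowed with policy elevation: {entry['name']}")
    if user_requests_admin:
        # Allowlisted but not elevated: the user's request changes nothing.
        return Decision(True, False,
                        "allowed as standard user (elevation request ignored): "
                        f"{entry['name']}")
    return Decision(True, False, f"allowed as standard user: {entry['name']}")


if __name__ == "__main__":
    for label, image, ask in [("hmi runtime", HMI_RUNTIME, False),
                              ("diag tool, asks admin", DIAG_TOOL, True),
                              ("unknown download, asks admin", UNKNOWN_BIN, True),
                              ("tampered hmi runtime", HMI_RUNTIME + b"\x00", False)]:
        print(f"{label:30s} -> {evaluate_launch(image, ask)}")
```

The last case in the demo is the one that matters for malware progression: appending a single byte to the trusted HMI runtime changes its hash, so the modified image is refused. Hash-based entries therefore need to be refreshed as part of the patch process, which is the usual operational cost of allowlisting on control computers.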

Advancing cyber security in industrial environments

CyberArk delivers privileged account protection for ICS by addressing the vulnerabilities originating from the connectivity between ICS, the IT environments, the internet and remote users. CyberArk helps customers in key ICS cyber security areas such as:

* Secure and Monitor Remote Access – In OT, supply chain management includes the oversight of users, both internal and external to the organisation, who require access to ICS networks. This access often involves remote connectivity sessions that can sometimes go unsecured and unmonitored for days or weeks. Updates to the CyberArk Privileged Session Manager v9.7 enhance usability across Unix and Windows environments. CyberArk Privileged Session Manager enables organisations to secure sessions between a remote user and the ICS targets, while allowing these sessions to be monitored and recorded. It also helps block the spread of desktop malware and mitigates the risk of credential theft.

* Identify Suspicious Activity – Unusual user activity or unauthorised credential use to access the ICS assets could be signs of an in-progress attack. CyberArk Privileged Threat Analytics v3.1 learns typical patterns of activity, continuously monitors privileged user and account activity, and can identify and alert on suspicious activity. The alerts can be used by IT, OT and security teams to help detect, automatically respond to and disrupt in-progress attacks, dramatically reducing any damage to operations and the business.
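The session-monitoring and suspicious-activity points above describe the same pipeline: record who opened a privileged session, from where, to which ICS target and when, learn each account's typical pattern, and alert on departures from it. The block below is an added example of that logic written for this page; it is not CyberArk Privileged Session Manager or Privileged Threat Analytics code. The log format, account names, addresses, hosts and timestamps are constructed sample data.

```python
"""Baseline-and-deviation detection over privileged session records.

Added illustration, not vendor code. A baseline is learned per account from
historical session-start records (source addresses, target hosts, hours of
day); later records are scored against it and any deviation raises an alert.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed log format: one session-start record per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"target=(?P<target>\S+) action=(?P<action>\S+)$"
)

# Constructed week of normal activity used to learn the baseline.
BASELINE_LOGS = [
    "2016-09-05T07:58:12Z user=ot_admin src=10.10.5.21 target=hmi-01 action=session_start",
    "2016-09-05T13:10:44Z user=ot_admin src=10.10.5.21 target=hmi-02 action=session_start",
    "2016-09-06T08:02:31Z user=ot_admin src=10.10.5.21 target=hmi-01 action=session_start",
    "2016-09-06T15:47:09Z user=vendor_svc src=10.10.9.4 target=hist-01 action=session_start",
    "2016-09-07T09:15:00Z user=ot_admin src=10.10.5.22 target=hmi-02 action=session_start",
    "2016-09-08T16:30:27Z user=vendor_svc src=10.10.9.4 target=hist-01 action=session_start",
]

# Constructed later records: one normal, then four that each deviate.
NEW_LOGS = [
    "2016-09-12T08:05:10Z user=ot_admin src=10.10.5.21 target=hmi-01 action=session_start",
    "2016-09-12T02:31:55Z user=ot_admin src=10.10.5.21 target=hmi-01 action=session_start",
    "2016-09-12T15:40:03Z user=vendor_svc src=10.10.9.4 target=hmi-02 action=session_start",
    "2016-09-12T13:12:47Z user=ot_admin src=192.0.2.77 target=hmi-02 action=session_start",
    "2016-09-12T13:20:09Z user=temp_acct src=10.10.5.21 target=hmi-01 action=session_start",
]


def parse(line: str) -> dict:
    """Split one record into fields; timestamps become datetime objects."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def build_baseline(lines):
    """Per account: sources, targets and hours of day seen during learning."""
    baseline = defaultdict(lambda: {"src": set(), "target": set(), "hours": set()})
    for line in lines:
        rec = parse(line)
        b = baseline[rec["user"]]
        b["src"].add(rec["src"])
        b["target"].add(rec["target"])
        b["hours"].add(rec["ts"].hour)
    return baseline


def score_event(baseline, line: str):
    """Return the parsed record and the list of deviations from its baseline."""
    rec = parse(line)
    b = baseline.get(rec["user"])
    if b is None:
        return rec, ["account not seen in baseline"]
    reasons = []
    if rec["src"] not in b["src"]:
        reasons.append(f"new source {rec['src']}")
    if rec["target"] not in b["target"]:
        reasons.append(f"new target {rec['target']}")
    if rec["ts"].hour not in b["hours"]:
        reasons.append(f"unusual hour {rec['ts'].hour:02d}:00")
    return rec, reasons


def alerts_for(baseline, lines):
    """Score every record; keep only those with at least one deviation."""
    alerts = []
    for line in lines:
        rec, reasons = score_event(baseline, line)
        if reasons:
            alerts.append({"user": rec["user"], "target": rec["target"],
                           "ts": rec["ts"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in alerts_for(build_baseline(BASELINE_LOGS), NEW_LOGS):
        print(alert)
```

With a week of history, a 02:31 session by an account that only ever works office hours, a vendor account reaching an HMI it has never touched, an administrator connecting from an address outside the plant range and an account with no history at all each produce a separate alert, while the routine 08:05 session stays silent. A real deployment would also weigh session content (commands issued, files transferred) and tune the learning window, but the structure is the same.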

* Quantify the Risk and Reduce the Attack Surface – The first step in mitigating the risk of compromised credentials is for an organisation to identify all users, applications and associated credentials used for granting access into the ICS. CyberArk Discovery and Audit is designed to find privileged user and application accounts and credentials. The tool generates a full report of scanned assets that includes a list of accounts and associated credentials as well as account status related to the company’s security policy.

“In a world where a manufacturing line could be tampered with to impact the integrity of an automobile’s windshield or the efficacy of a drug, or an attack that could bring transportation systems to a halt, the implementation of risk-based cyber security programmes must accelerate,” said Roy Adar, senior vice president, product management, CyberArk. “IT/OT convergence and related cyber security risks can threaten uptime and consumer safety. Nearly all users in ICS environments require some level of privileged access and are therefore being targeted. Protecting ICS users and managing those risks should more closely mirror IT privileged account security best practices.”